Password Complexity Standard

Standard Information

Responsible Offices

IT Security Office (ITSO)

Additional Information
Document Control Number

ITS.ITSO-STD008

Last Reviewed Date

3/22/2024

Applies To

This standard applies to every faculty member, staff member, student, temporary employee, contractor, outside vendor, and visitor to campus (i.e., user) that authenticates to university-owned computing systems or devices.

Purpose

The purpose of this standard is to define the user password requirements for electronic access to George Mason University's workstations and systems. This standard is designed to minimize the potential exposure of George Mason University to damages that may result from unauthorized use of George Mason University resources. Such damages include the loss of highly sensitive or university confidential data, loss of intellectual property, damage to reputation, and damage to critical George Mason University systems.

Definitions

Highly sensitive data is data that, if exposed, could lead to identity theft or exposure of personal health information, financial theft, or otherwise have a significant adverse impact on the university.

Password Complexity Standard

Your password:

  • Cannot be your first, middle, or last name
  • Cannot be your username/netID
  • Cannot be a password you have used before
  • Must not use dictionary words
  • Must not be easily guessed
  • Must not include repeated characters, such as AAA or 555
  • Must not include alphabetic sequences, such as abc or CBA
  • Must not include numeric sequences, such as 123 or 321
  • Must not use common keyboard sequences or common passwords, such as QWERTY or password
  • Must be at least 10 and no more than 30 characters long

Only the characters specified below may be used, and the password must include 3 out of 4 of the following character classifications.

  • Upper case: ABCDEFGHIJKLMNOPQRSTUVWXYZ
  • Lower case: abcdefghijklmnopqrstuvwxyz
  • Numbers: 1234567890
  • Special characters: _!#$%"@

The password selected will be tested against a proactive password checker library, which tests passwords for effectiveness (e.g., cracklib).
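The rules above are concrete enough to implement, and seeing them as code makes their edge cases visible (a sequence check that catches CBA as well as abc, a class count that ignores characters outside the permitted set). The following checker is an added example written for this page; it is not the university's own checker or cracklib. It assumes the straight double quote is the intended special character, uses a small constructed word list and constructed common-password list in place of a real dictionary, treats the name and netID rules as substring matches (stricter than the literal wording), detects letter sequences case-insensitively, and compares against password history by SHA-256 digest so that no plaintext history is kept. The sample user "Ana Rivera" / "arivera3" is constructed for illustration.

```python
"""Reference checker for the password rules listed above (added example, not
the university's own checker). The word lists and the sample names are
constructed for illustration."""
import hashlib
import string

ALLOWED_SPECIALS = '_!#$%"@'
ALLOWED = set(string.ascii_letters + string.digits + ALLOWED_SPECIALS)
MIN_LEN, MAX_LEN = 10, 30

# Constructed stand-ins for a real dictionary (e.g. cracklib's) and for a
# common-password / keyboard-sequence list.
DICTIONARY = {"summer", "autumn", "welcome", "george", "mason"}
COMMON = {"password", "qwerty", "asdfgh", "zxcvbn", "qwertyuiop"}


def _digest(pw):
    # History is compared by hash so plaintext never has to be stored; a real
    # deployment would use a slow, salted password hash rather than SHA-256.
    return hashlib.sha256(pw.encode()).hexdigest()


def _has_repeat(pw, n=3):
    """True if any character occurs n or more times in a row (AAA, 555)."""
    return any(len(set(pw[i:i + n])) == 1 for i in range(len(pw) - n + 1))


def _has_sequence(pw, n=3):
    """True if any run of n letters or n digits is consecutive, ascending or
    descending (abc, CBA, 123, 321). Letters are compared case-insensitively,
    so aBc counts too, which is stricter than the examples in the standard."""
    for i in range(len(pw) - n + 1):
        chunk = pw[i:i + n].lower()
        if chunk.isalpha() or chunk.isdigit():
            codes = [ord(c) for c in chunk]
            steps = {b - a for a, b in zip(codes, codes[1:])}
            if steps == {1} or steps == {-1}:
                return True
    return False


def _class_count(pw):
    """Number of the four character classes (upper, lower, digit, special) present."""
    return sum([
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in ALLOWED_SPECIALS for c in pw),
    ])


def check_password(pw, first, last, netid, middle="", history=()):
    """Return the list of rules the candidate password violates.

    An empty list means the password passes. `history` is an iterable of
    digests of previously used passwords (see _digest). Name and netID checks
    are substring matches, which is stricter than the literal wording."""
    problems = []
    low = pw.lower()
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    bad = sorted(set(pw) - ALLOWED)
    if bad:
        problems.append("disallowed characters: " + "".join(bad))
    if _class_count(pw) < 3:
        problems.append("needs at least 3 of 4 character classes")
    for label, value in (("first name", first), ("middle name", middle),
                         ("last name", last), ("netID", netid)):
        if value and value.lower() in low:
            problems.append(f"contains your {label}")
    if any(word in low for word in DICTIONARY):
        problems.append("contains a dictionary word")
    if any(seq in low for seq in COMMON):
        problems.append("contains a common password or keyboard sequence")
    if _has_repeat(pw):
        problems.append("contains repeated characters such as AAA or 555")
    if _has_sequence(pw):
        problems.append("contains a sequence such as abc, CBA, 123 or 321")
    if _digest(pw) in history:
        problems.append("password was used before")
    return problems


if __name__ == "__main__":
    # Constructed sample user; "Ana Rivera" / "arivera3" are illustrative only.
    for candidate in ("Tr4vel#Mug_vista", "Password123", "Ana!Rivera99"):
        result = check_password(candidate, "Ana", "Rivera", "arivera3")
        print(candidate, "->", result or "OK")
```

Note that the class count only credits the specials the standard actually lists: a password built from otherwise-forbidden punctuation is reported both for the disallowed characters and, if it relied on them for its third class, for falling short of 3 of 4. In practice the word and common-password lists would be the full cracklib dictionary and a breached-password corpus rather than the handful of constructed entries used here.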

Change your password as requested. An email reminder will be sent to the account owner about 30 days before the password expires. For increased security, change your password frequently.

For PCI Compliance

If you authenticate directly to systems, devices, or workstations that are in scope for Payment Card Industry Data Security Standard compliance you must also:

  • Change your password at least every 90 Days
  • Include both letters and numbers in the password/passphrase

Exceptions

None

Timetable for Review

This standard will be reviewed every 2 years at a minimum.

Revision History

Version  Date        Organization/Author  Description of Changes
1.0      2/26/2016   IT Security Office   Initial Release
1.1      12/11/2019  IT Security Office   Annual Review; Minor Revisions (reformatting)
1.2      2/23/2021   IT Security Office   Annual Review; Minor Revisions (reformatting)
1.3      3/16/2023   IT Security Office   Annual Review; Minor Revisions (reformatting)
1.4      3/22/2024   IT Security Office   Annual Review; minor updates to character specifications